- Access to the OpenAthens administration area at the domain level
- A SAML source and its metadata (either as a file or the web address where it is published).
- Access to the configuration of that SAML source
- A SAML source that supports TLS 1.2 and above and complies with our SAML interoperability requirements (most will)
If you are migrating from an alternative IdP such as Shibboleth, also see: Migrating from your own IdP
- Permission set rules so that your users are assigned an appropriate set of resources
- Attribute mappings so that OpenAthens can make use of the data passed to it by your source
- OpenAthens will cache these attributes when the user signs in, so changes in your directory won't be picked up until the next time the user starts an OpenAthens session.
When you're ready to go live, check both the live and visible boxes and then save. Your new connection should be testable a few seconds later.
Certificates - allows you to add a second certificate. Used when you need to change a server certificate on your end and want to minimise downtime for your users.
Advanced - allows you to make several changes that are rarely necessary:
- switch between SAML versions should you have a source that can only handle the older SAML 1 profile
- switch the profile from Redirect to Post if your source insists on it
- enable signing of authentication requests (SHA-1 or SHA-256) if your source requires it
- enable the SAML forceAuthn option (forces your local source to re-authenticate any time the user is sent there, e.g. where users can have multiple affiliations within a consortium and your SAML source's session management makes it difficult for them to change)
Anything to watch out for?
When you use the refresh metadata button it will update everything in the connection with values from the metadata, including endpoints, names and certificates. This will also undo any manual changes you have made on the advanced tab. The metadata URL can be removed to guard against this if you choose. It won't change the name or any options on the other tabs.
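To see concretely which values a metadata refresh pulls in (entity ID, the SAML protocol versions advertised, the Redirect and Post single sign-on endpoints, and the signing certificates that the Certificates tab holds), the following script parses an IdP metadata document and lists the stored connection fields it would overwrite. This is an added example and not OpenAthens' own code; the metadata, entity ID, endpoints and certificate body are constructed placeholders, and the "stored connection" dictionary is a hypothetical stand-in for whatever the administration area currently holds.

```python
"""Inspect a SAML IdP metadata document the way a metadata refresh would:
pull out the values that a refresh overwrites (entity ID, endpoints,
certificates) and report which of them differ from the stored connection.
Example code added to this page; not OpenAthens' own code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1 = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed sample IdP metadata: hypothetical entity ID, endpoints and
# certificate body (the certificate text is NOT a real certificate).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIBconstructedCertBodyNotARealCertificate
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the connection settings a metadata refresh would take from the document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not an IdP")
    protocols = set(idp.get("protocolSupportEnumeration", "").split())
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        # Keep only the binding's short name: HTTP-Redirect, HTTP-POST, ...
        endpoints[sso.get("Binding").rsplit(":", 1)[-1]] = sso.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for both signing
        # and encryption; an encryption-only key cannot verify assertions.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop the line wrapping
    return {
        "entity_id": root.get("entityID"),
        "saml2": SAML2 in protocols,
        "saml1": SAML1 in protocols,
        "endpoints": endpoints,
        "signing_certs": certs,
    }


def refresh_changes(stored, fresh):
    """Names of the stored fields a refresh would overwrite with metadata values."""
    return sorted(k for k in fresh if stored.get(k) != fresh[k])


if __name__ == "__main__":
    # Hypothetical stored connection with an outdated endpoint and certificate.
    stored = {
        "entity_id": "https://idp.example.edu/idp/shibboleth",
        "saml2": True,
        "saml1": False,
        "endpoints": {"HTTP-Redirect": "https://old.example.edu/sso"},
        "signing_certs": ["MIIBoldCertBodyConstructed"],
    }
    fresh = parse_idp_metadata(SAMPLE_METADATA)
    print("refresh would overwrite:", refresh_changes(stored, fresh))
```

Run it against a copy of your own source's metadata before pressing refresh: the fields it reports are the ones that will change, and if the signing certificate differs, the Certificates tab is where you would stage the new one alongside the old to avoid downtime.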
If you are planning to pre-upload user identifiers, you will need to have at least one local account visible in the list to access the upload button. Do not delete all your test logins until at least some of your pre-mappings are uploaded.